We are observing that the number of connections through the ASA 5580 keeps increasing, and one fine day it stops sending/receiving traffic.
firewall# show conn count
1900000 in use, 2000008 most used
As per the datasheet of this ASA, the maximum permissible connections is 2 million (20 lakh), and the output shows that currently 1,900,000 connections are in use and 2,000,008 connections is the most used.
When I run "show local-host | include host|count/limit", below are the outputs showing the maximum connections:
local host: <172.x.x.x>,
TCP flow count/limit = 35857/unlimited
TCP embryonic count to host = 25
UDP flow count/limit = 0/unlimited
local host: <DC01>,
TCP flow count/limit = 306/unlimited
TCP embryonic count to host = 8
UDP flow count/limit = 736807/unlimited
local host: <DC02>,
TCP flow count/limit = 246/unlimited
TCP embryonic count to host = 2
UDP flow count/limit = 582010/unlimited
local host: <172.y.y.y>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
UDP flow count/limit = 308412/unlimited
These are the top 4 connection counts. Should we consider only the TCP flow count, or UDP as well?
Could you please help in identifying the genuine connections? Is there any combination of flags or something to be executed in the show conn command in order to identify the fake or unwanted connections? Is there any way to proceed further?
I have had to deal with a similar problem only 2-3 times, and it was always a "contaminated" computer/server.
In the latest case a single server in an environment with an ASA 5540 was pushing so many connections that it reached the maximum connections for that ASA model (400,000).
First, I would start by checking what connections are being formed from the hosts that you listed above. I guess you should usually see some sort of well-known port used for any service that's needed. It might also help if there was someone there who knows exactly what connections your servers etc. are supposed to handle.
How many hosts are there in your network?
What has been the normal trend with the connection count before you ran into this problem?
How did you notice this problem? Connections weren't being formed through the ASA?
What have you done so far regarding this problem?
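The reply above boils down to: take the hosts with the largest flow counts, look at which remote ports their connections go to, and compare that with what the server is supposed to do. Below is an added Python example (written for this page, not code from either poster or from Cisco) that does exactly that over pasted "show conn" output. It ranks inside hosts by TCP plus UDP flows, since both are charged against the platform limit the question is hitting, counts half-open TCP flows (on the ASA the "U" flag means the three-way handshake completed, so a TCP conn without it is still embryonic), and lists remote ports outside a small allow-list. The sample lines are constructed, the "inside" interface name and the expected-port set are assumptions, and the regex assumes the common line layout shown in the sample; adjust them to match your own output.

```python
import re
from collections import Counter

# Constructed sample output in the usual "show conn" line format; it is not
# from the thread.  Assumption: your ASA prints the same layout and the
# protected interface is named "inside".  Adjust CONN_RE / INSIDE_IF if not.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.5:443 inside 172.16.1.10:51000, idle 0:00:05, bytes 1234, flags UIO
TCP outside 203.0.113.5:443 inside 172.16.1.10:51001, idle 0:00:03, bytes 0, flags saA
TCP outside 198.51.100.9:25 inside 172.16.1.10:51002, idle 0:00:01, bytes 0, flags saA
UDP outside 8.8.8.8:53 inside 172.16.1.20:40001, idle 0:00:01, bytes 88, flags -
UDP outside 8.8.8.8:53 inside 172.16.1.20:40002, idle 0:00:01, bytes 88, flags -
UDP outside 198.51.100.77:53 inside 172.16.1.20:40003, idle 0:00:00, bytes 60, flags -
UDP outside 198.51.100.77:53 inside 172.16.1.20:40004, idle 0:00:00, bytes 60, flags -
UDP outside 192.0.2.44:6881 inside 172.16.1.30:6881, idle 0:00:20, bytes 300, flags -
"""

INSIDE_IF = "inside"

# Assumed allow-list of remote ports the protected hosts should be talking to;
# anything outside it is worth a closer look.
EXPECTED_PORTS = {25, 53, 80, 123, 443}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+)\b.*?\bflags\s+(?P<flags>\S+)"
)


def parse_conns(text):
    """Turn show conn lines into dicts keyed by the inside host."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, other protocols (ICMP, GRE, ...)
        d = m.groupdict()
        if d["if1"] == INSIDE_IF:
            local, remote_port = d["ip1"], int(d["port2"])
        elif d["if2"] == INSIDE_IF:
            local, remote_port = d["ip2"], int(d["port1"])
        else:
            continue  # conn does not touch the inside interface
        # "U" = handshake completed; a TCP conn without it is still half-open.
        embryonic = d["proto"] == "TCP" and "U" not in d["flags"]
        conns.append({"local": local, "proto": d["proto"],
                      "remote_port": remote_port, "embryonic": embryonic})
    return conns


def summarize(conns):
    """Per inside host: TCP/UDP/embryonic counts and a remote-port histogram."""
    summary = {}
    for c in conns:
        s = summary.setdefault(c["local"], {"tcp": 0, "udp": 0, "embryonic": 0,
                                            "ports": Counter()})
        s[c["proto"].lower()] += 1
        s["embryonic"] += int(c["embryonic"])
        s["ports"][c["remote_port"]] += 1
    return summary


def top_hosts(summary, n=5):
    """Hosts ranked by total flows; TCP and UDP both count against the limit."""
    ranked = sorted(summary.items(),
                    key=lambda kv: (-(kv[1]["tcp"] + kv[1]["udp"]), kv[0]))
    return [(host, s["tcp"] + s["udp"]) for host, s in ranked[:n]]


def unexpected_ports(summary):
    """Remote ports per host outside EXPECTED_PORTS: candidate unwanted flows."""
    return {host: sorted(p for p in s["ports"] if p not in EXPECTED_PORTS)
            for host, s in summary.items()
            if any(p not in EXPECTED_PORTS for p in s["ports"])}


if __name__ == "__main__":
    summary = summarize(parse_conns(SAMPLE_SHOW_CONN))
    for host, total in top_hosts(summary):
        s = summary[host]
        print(f"{host}: {total} flows (tcp={s['tcp']}, udp={s['udp']}, "
              f"embryonic={s['embryonic']}), top ports {s['ports'].most_common(3)}")
    print("unexpected ports:", unexpected_ports(summary))
```

On a box near its limit, pull the data once with "show conn" redirected to a file (or per host with "show conn address <ip>") and feed that file to parse_conns rather than scraping the live CLI repeatedly. A host whose flows are spread across thousands of remote addresses on one odd port, or whose TCP count is mostly embryonic, is the usual signature of the "contaminated" machine described in the reply.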